Environment and tool setup
I downloaded the LovelyMem tool a while ago. It bundles volatility2 and volatility3 together with matching Python versions, so they can be used as-is, either by running the individual commands directly or through LovelyMem's convenient GUI. At the moment, though, its environment setup complains about missing components, which I have not resolved yet.
Practice problems
Experience has to be accumulated, so there is no way around doing a lot of problems.
[HUBUCTF 2022 Freshman Contest] vmem
vol3 could not dump the files from this image, so vol2 it is.
First, scan the memory image for basic information (the imageinfo command):
PS D:\> d:\CTF\Lovelymem\Tools\python27\python27.exe d:\CTF\Lovelymem\Tools\volatility2_python\vol.py -f d:\Desktop\Windows7.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\Desktop\Windows7.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80003e560a0L
          Number of Processors : 4
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80003e57d00L
                KPCR for CPU 1 : 0xfffff880009ef000L
                KPCR for CPU 2 : 0xfffff88004569000L
                KPCR for CPU 3 : 0xfffff880045df000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2022-09-06 06:06:43 UTC+0000
     Image local date and time : 2022-09-06 14:06:43 +0800
This gives the OS version and bitness the image corresponds to: Win2008R2SP1x64. (Every Volatility plugin assumes a particular OS kernel layout, which determines how the tool interprets memory, so the profile must be determined first; it is needed in every later command.)
Next, scan for file names related to the flag:
PS D:\> d:\CTF\Lovelymem\Tools\python27\python27.exe d:\CTF\Lovelymem\Tools\volatility2_python\vol.py `
>> -f d:\Desktop\Windows7.vmem `
>> --profile=Win2008R2SP1x64_23418 `
>> filescan | findstr flag
Volatility Foundation Volatility Framework 2.6
0x00000000067eca20      2      0 RW-rw- \Device\HarddiskVolume2\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\flag.lnk
0x000000005d98ecd0      1      0 R--r-d \Device\HarddiskVolume2\Users\admin\Desktop\flag2.png
0x000000005e7f5070     16      0 RW-rw- \Device\HarddiskVolume2\Users\admin\Documents\flag3.txt
0x000000005eb84f20     16      0 RW-r-- \Device\HarddiskVolume2\Users\admin\Desktop\secret\flag.txt
0x000000005f603570      2      0 RW-rw- \Device\HarddiskVolume2\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\flag2.lnk
Note: some CTF players who shared their solutions use grep here, but that is a Linux command; in Windows PowerShell you should use findstr or Select-String.
So there are three flag-related files (the .lnk entries are just shortcuts).
Using the offsets listed above, extract the files to the desktop with the following command (shown here for flag.txt):
PS D:\> d:\CTF\Lovelymem\Tools\python27\python27.exe d:\CTF\Lovelymem\Tools\volatility2_python\vol.py -f d:\Desktop\Windows7.vmem --profile=Win7SP1x64 dumpfiles -Q 0x000000005eb84f20 -D d:\Desktop\
Volatility Foundation Volatility Framework 2.6
DataSectionObject 0x5eb84f20   None   \Device\HarddiskVolume2\Users\admin\Desktop\secret\flag.txt
flag.txt gives the first part of the flag directly, flag2.png gives the second part as an image, and flag3.txt is a piece of Python code with the following content:
# flag3 (the plaintext third part of the flag) is not defined anywhere in the file as recovered
flag_enc = ""
for i in range(len(flag3)):
    flag_enc += chr(ord(flag3[i]) ^ 0xf - 6)
print(flag_enc)
Simple enough: run the commented-out part once and the third part of the flag comes out:
flag_enc = "}al):{m)yh{})fo)oehn)`z)3)VPF|V^hg](t "
flag = ""
for i in range(len(flag_enc)):
    flag += chr(ord(flag_enc[i]) ^ 0xf - 6)
print(flag)
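As an added example (not part of the original writeup), the Python below shows why the decoding above works: Python parses `^ 0xf - 6` as XOR with 9, because `-` binds tighter than `^`, and XOR with a fixed byte is its own inverse. It also goes one step beyond the challenge by recovering an unknown single-byte key through scoring all 256 candidates; the encrypted string is the one from flag3.txt, and `recover_key` and the marker word "flag" are assumptions of this example.

```python
import string

# String from flag3.txt as reproduced in the writeup (not constructed here).
FLAG_ENC = "}al):{m)yh{})fo)oehn)`z)3)VPF|V^hg](t "

# The challenge writes "^ 0xf - 6". In Python "-" binds tighter than "^", so this is
# ord(ch) ^ (0xf - 6) == ord(ch) ^ 9, not (ord(ch) ^ 0xf) - 6.
KEY_AS_PARSED = 0xf - 6  # == 9

def xor_single_byte(text: str, key: int) -> str:
    """XOR every character with one key byte; applying it twice restores the input."""
    return "".join(chr(ord(ch) ^ key) for ch in text)

def decode_as_written(text: str) -> str:
    """The challenge's expression verbatim, to show it equals XOR with 9."""
    return "".join(chr(ord(ch) ^ 0xf - 6) for ch in text)

def decode_misread(text: str) -> str:
    """The tempting misreading, XOR with 0xf then subtract 6; produces garbage here."""
    return "".join(chr((ord(ch) ^ 0xf) - 6) for ch in text)

def recover_key(enc: str, marker: str = "flag") -> int:
    """Generalisation for when the key is unknown: try all 256 single-byte keys and keep
    the one whose output is most printable and contains the expected marker word."""
    def score(key: int) -> int:
        out = xor_single_byte(enc, key)
        printable = sum(ch in string.printable for ch in out)
        return printable + (100 if marker in out else 0)
    return max(range(256), key=score)

if __name__ == "__main__":
    print(decode_as_written(FLAG_ENC))  # third part of the flag
    print("recovered key:", recover_key(FLAG_ENC))
```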
[Blue Hat Cup (蓝帽杯) 2022 Preliminary] Computer Forensics_1
Challenge description: A Windows computer is under forensic examination; analyse and answer the following question. What is the login password of user taqi7, as obtained from the memory image?
As before, start by scanning the image information (the imageinfo command):
PS D:\> d:\CTF\Lovelymem\Tools\python27\python27.exe d:\CTF\Lovelymem\Tools\volatility2_python\vol.py -f d:\Desktop\1.dmp imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (D:\Desktop\1.dmp)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf80003ffa0a0L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80003ffbd00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2022-04-28 05:54:55 UTC+0000
     Image local date and time : 2022-04-28 13:54:55 +0800
While Windows is running, the key that decrypts the SAM (which stores users and their hashes) and the decrypted structures themselves have to be present in physical memory. In a memory dump taken at that moment every key is already decrypted and every structure already laid out; the system is in a state where it could verify a password, so usernames and password hashes can be pulled straight out of the .dmp file.
This challenge calls for the hashdump command:
PS D:\> d:\CTF\Lovelymem\Tools\python27\python27.exe d:\CTF\Lovelymem\Tools\volatility2_python\vol.py -f d:\Desktop\1.dmp --profile=Win2008R2SP1x64_23418 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
taqi7:1000:aad3b435b51404eeaad3b435b51404ee:7f21caca5685f10d9e849cc84c340528:::
naizheng:1002:aad3b435b51404eeaad3b435b51404ee:d123b09e13b1a82277c3e3f0ca722060:::
qinai:1003:aad3b435b51404eeaad3b435b51404ee:1c333843181864a58156f3e9498fe905:::
The hash for user taqi7 is right there. Because the Windows SAM database follows the format below, the line taqi7:1000:aad3b435b51404eeaad3b435b51404ee:7f21caca5685f10d9e849cc84c340528::: holds the password hash we want.
username : RID : LM_hash (the deprecated legacy authentication scheme) : NTLM_hash (the key information we need) : history : history
Then it is just a matter of running the hash through an MD5 cracker:
[Blue Hat Cup (蓝帽杯) 2022 Preliminary] Computer Forensics_2
Challenge description: A Windows computer is under forensic examination; analyse and answer the following question: what is the PID of the process that created this memory image?
Scan the image information first as before; since the question asks for a process PID, the pslist command is what we need:
PS D:\> d:\CTF\Lovelymem\Tools\python27\python27.exe d:\CTF\Lovelymem\Tools\volatility2_python\vol.py -f d:\Desktop\1.dmp --profile=Win7SP1x64_23418 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccc7890 System                    4      0    105      623 ------      0 2022-04-28 05:38:41 UTC+0000
0xfffffa800d9c3610 smss.exe                288      4      2       29 ------      0 2022-04-28 05:38:41 UTC+0000
0xfffffa800e100740 csrss.exe               384    376      9      486      0      0 2022-04-28 05:38:42 UTC+0000
0xfffffa800e4a3840 wininit.exe             424    376      3       78      0      0 2022-04-28 05:38:43 UTC+0000
0xfffffa800e4a7b30 csrss.exe               436    416     10      645      1      0 2022-04-28 05:38:43 UTC+0000
0xfffffa800e50b060 winlogon.exe            492    416      5      116      1      0 2022-04-28 05:38:43 UTC+0000
0xfffffa800e523910 services.exe            532    424      6      216      0      0 2022-04-28 05:38:43 UTC+0000
0xfffffa800e52fb30 lsass.exe               544    424      6      614      0      0 2022-04-28 05:38:43 UTC+0000
0xfffffa800e489060 lsm.exe                 552    424     11      209      0      0 2022-04-28 05:38:43 UTC+0000
0xfffffa800e612630 svchost.exe             660    532     11      357      0      0 2022-04-28 05:38:43 UTC+0000
0xfffffa800e638b30 svchost.exe             728    532      8      290      0      0 2022-04-28 05:38:43 UTC+0000
0xfffffa800e6553b0 svchost.exe             776    532     21      502      0      0 2022-04-28 05:38:43 UTC+0000
0xfffffa800e602750 svchost.exe             920    532     17      405      0      0 2022-04-28 05:38:44 UTC+0000
0xfffffa800e6da4e0 svchost.exe             960    532     42     1121      0      0 2022-04-28 05:38:44 UTC+0000
0xfffffa800e6f7060 audiodg.exe            1020    776      6      131      0      0 2022-04-28 05:38:44 UTC+0000
0xfffffa800e722060 svchost.exe             420    532      9      530      0      0 2022-04-28 05:38:44 UTC+0000
0xfffffa800e749b30 ZhuDongFangYu.          956    532     26      394      0      1 2022-04-28 05:38:44 UTC+0000
0xfffffa800e75a950 svchost.exe            1040    532     23      636      0      0 2022-04-28 05:38:44 UTC+0000
0xfffffa800e85b570 spoolsv.exe            1300    532     12      313      0      0 2022-04-28 05:38:45 UTC+0000
0xfffffa800e88cb30 svchost.exe            1336    532     17      321      0      0 2022-04-28 05:38:45 UTC+0000
0xfffffa800e907630 svchost.exe            1440    532      4       81      0      1 2022-04-28 05:38:45 UTC+0000
0xfffffa800e9c6740 vmtoolsd.exe           1548    532      9      276      0      0 2022-04-28 05:38:45 UTC+0000
0xfffffa800eabd060 svchost.exe            1960    532      5      101      0      0 2022-04-28 05:38:46 UTC+0000
0xfffffa800eb07b30 dllhost.exe            1612    532     13      186      0      0 2022-04-28 05:38:46 UTC+0000
0xfffffa800eb36b30 msdtc.exe              2068    532     12      144      0      0 2022-04-28 05:38:48 UTC+0000
0xfffffa800eabe980 svchost.exe            2512    532     11      146      0      0 2022-04-28 05:40:46 UTC+0000
0xfffffa800ea79b30 svchost.exe            2584    532     13      335      0      0 2022-04-28 05:40:46 UTC+0000
0xfffffa800eaa8310 SearchIndexer.         2648    532     11      658      0      0 2022-04-28 05:40:47 UTC+0000
0xfffffa800ea7a0f0 WmiPrvSE.exe           1792    660      7      114      0      0 2022-04-28 05:42:48 UTC+0000
0xfffffa800cdf4b30 taskhost.exe            916    532      9      209      1      0 2022-04-28 05:42:55 UTC+0000
0xfffffa800cdfe210 dwm.exe                 972    920      3       70      1      0 2022-04-28 05:42:55 UTC+0000
0xfffffa800e585b30 explorer.exe           2044   1716     53     1335      1      0 2022-04-28 05:42:55 UTC+0000
0xfffffa800e83eb30 vmtoolsd.exe           2672   2044      7      209      1      0 2022-04-28 05:42:56 UTC+0000
0xfffffa800e84f780 ldnews.exe             2664   2044     10      363      1      1 2022-04-28 05:42:56 UTC+0000
0xfffffa800ea25580 360Tray.exe            2436    956    150     1455      1      1 2022-04-28 05:42:57 UTC+0000
0xfffffa800edc8b30 LiveUpdate360.         3500   2288     18      305      1      1 2022-04-28 05:43:13 UTC+0000
0xfffffa800ee90b30 360TptMon.exe          4012   3784     17      415      1      1 2022-04-28 05:43:22 UTC+0000
0xfffffa800ee6bb30 svchost.exe            3316    532      3       57      0      1 2022-04-28 05:43:23 UTC+0000
0xfffffa800eb76b30 SoftMgrLite.ex         3396   2436     30      360      1      1 2022-04-28 05:44:13 UTC+0000
0xfffffa800ec4b630 TrueCrypt.exe          3496   2044      5      268      1      1 2022-04-28 05:46:22 UTC+0000
0xfffffa800ea45b30 TrueCrypt Form         2964   3496      0 --------      1      0 2022-04-28 05:46:35 UTC+0000   2022-04-28 05:47:59 UTC+0000
0xfffffa800ed78720 SearchProtocol         2548   2648      7      316      0      0 2022-04-28 05:52:53 UTC+0000
0xfffffa800ec2e6f0 notepad.exe            2872   2044      1       62      1      0 2022-04-28 05:54:13 UTC+0000
0xfffffa800f103b30 MagnetRAMCaptu         2192   2044     16      333      1      1 2022-04-28 05:54:30 UTC+0000
0xfffffa800ea7b910 360speedld.exe         3880   2436      4       94      1      1 2022-04-28 05:54:54 UTC+0000
0xfffffa800ef76b30 dllhost.exe            3604    660      6       91      1      0 2022-04-28 05:54:55 UTC+0000
The process that creates a memory image is generally reading all of physical memory while writing to a file. Such a process is always some memory acquisition or forensics tool, and its name often carries keywords like dump, ram, capture or memory.
In this challenge the name MagnetRAMCaptu already gives it away: this is Magnet RAM Capture, a very well-known, very standard memory acquisition tool whose only purpose is to capture RAM, so the answer is settled.
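An added example (not the writeup's own code) that turns the keyword heuristic above into a check: it parses vol2 pslist rows, including the exited "TrueCrypt Form" row whose Hnds column is "--------" and which carries an Exit time, then lists live processes whose name matches one of the keywords, together with the gap between their start and the image timestamp, since the acquisition tool is usually among the youngest processes. Note that pslist shows only the first 14 characters of the image name, which is why "MagnetRAMCaptu" is truncated; the rows and the image time come from the outputs above, while `IMAGE_TIME`, `KEYWORDS` and the function names are this example's own.

```python
import re
from datetime import datetime

# Rows copied from the pslist output above (header kept, a handful of rows), including the
# exited "TrueCrypt Form" process, whose Hnds column is "--------" and which has an Exit time.
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800ccc7890 System                    4      0    105      623 ------      0 2022-04-28 05:38:41 UTC+0000
0xfffffa800e585b30 explorer.exe           2044   1716     53     1335      1      0 2022-04-28 05:42:55 UTC+0000
0xfffffa800ec4b630 TrueCrypt.exe          3496   2044      5      268      1      1 2022-04-28 05:46:22 UTC+0000
0xfffffa800ea45b30 TrueCrypt Form         2964   3496      0 --------      1      0 2022-04-28 05:46:35 UTC+0000   2022-04-28 05:47:59 UTC+0000
0xfffffa800ec2e6f0 notepad.exe            2872   2044      1       62      1      0 2022-04-28 05:54:13 UTC+0000
0xfffffa800f103b30 MagnetRAMCaptu         2192   2044     16      333      1      1 2022-04-28 05:54:30 UTC+0000
"""
IMAGE_TIME = datetime(2022, 4, 28, 5, 54, 55)  # "Image date and time" from imageinfo above
KEYWORDS = ("dump", "ram", "capture", "memory")  # the name hints listed in the writeup
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC\+0000"
ROW = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+"
    r"(?P<hnds>\d+|-+)\s+(?P<sess>\d+|-+)\s+(?P<wow64>\d+)\s+(?P<start>" + TS + r")"
    r"(?:\s+(?P<exit>" + TS + r"))?\s*$")

def parse_pslist(text: str) -> list:
    """Parse vol2 pslist rows; the name is matched non-greedily because it may contain spaces."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            r = m.groupdict()
            r["pid"], r["ppid"] = int(r["pid"]), int(r["ppid"])
            r["start_dt"] = datetime.strptime(r["start"][:19], "%Y-%m-%d %H:%M:%S")
            rows.append(r)
    return rows

def capture_candidates(rows: list, image_time: datetime = IMAGE_TIME) -> list:
    """Live processes whose (14-char truncated) name carries a keyword, with the seconds
    between their start and the image timestamp; the acquisition tool should be among the
    youngest. Keyword hits still need eyeballing ("program" also contains "ram")."""
    hits = []
    for r in rows:
        if r["exit"] is None and any(k in r["name"].lower() for k in KEYWORDS):
            age = int((image_time - r["start_dt"]).total_seconds())
            hits.append((r["name"], r["pid"], r["ppid"], age))
    return sorted(hits, key=lambda h: h[3])

if __name__ == "__main__":
    for hit in capture_candidates(parse_pslist(PSLIST)):
        print("candidate acquisition process: name=%s pid=%d ppid=%d started %ds before image" % hit)
```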